Various Password Policies to Secure Your Web Server

To make sure your password is secure and valid, follow the guidelines in the table below.

| Required action | Benefit gained |
|---|---|
| Do not store passwords in a clear text file. | Avoids a situation where convenience and speedy login are achieved at the expense of security. |
| Passwords shall be changed or expire in 90 days or less. | Reduces the likelihood of unauthorized penetration by limiting a password's useful life. |
| Do not allow a password to be reused for at least four iterations. | Reduces the likelihood of unauthorized penetration by increasing password variability. |
| Allow only one user per account; never share userIDs or passwords. | Provides user accountability. |
| Never assign a login account a password that is the same string as the userID or that contains the userID. | Eliminates this possibility, which is the very first thing any hacker tries once they get a telnet prompt. |
| Never install a guest account. | Prevents penetration via certain well-known vulnerabilities in some User Datagram Protocol (UDP) services. |
| Deactivate unused accounts monthly. Consider an account unused if no login has occurred in 90 days. | Prevents a formerly authorized user from continuing to use the host. |
| No accounts will be named anonymous, ftp, telnet, www, host, user, bin, nobody, etc. | Avoids accounts that are commonly attacked via password guessing, e.g., ftp/ftp. |
| Never set any password equal to the null string, which is equivalent to no password at all. | Follows best security practices. |
| Passwords shall: be at least 8 characters in length; contain a combination of alphabetic and numeric characters; contain a nonnumeric character in the first and last position; contain no more than three identical consecutive characters, in any position, from the previous password. | These requirements make it more difficult for a password guesser to obtain passwords. They increase the set of combinations that must be guessed and provide a mixture to defeat a dictionary attack. |
| Passwords shall not contain any special character; use only letters and numbers. | Special characters are invalid characters for passwords. |
| Passwords shall not contain any dictionary word in any language. | Prevents dictionary attacks. |
| Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character, nor any employee serial number, Social Security number, birth date, phone number, or other information that could be readily guessed about the creator of the password. | Helps prevent a password guess based on a hacker's personal knowledge of the user. |
| Passwords shall not contain any simple pattern of letters or numbers, such as "qwerty" or "xyz123". | These passwords are favorites a hacker might try early in a dictionary attack. |
| Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, such as 98xyz123. | The dictionaries used by hackers are huge, and the Crack V algorithms are clever and thorough. |
| The manager or owner of the host shall revalidate all userIDs at least annually. | Best security practice to clean out the userIDs of ex-employees and to verify which userIDs are valid. |
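The composition rules in the table (length, letter/digit mix, nonnumeric first and last character, carry-over from the previous password, reuse history, userID, dictionary words forwards or reversed, simple patterns, personal data) can be enforced mechanically at password-change time. The checker below is an added example, not code from the GSA policy or this blog; the word and pattern lists are constructed stand-ins for a real multi-language dictionary, and the "three identical consecutive characters" rule is read as a run of matching characters at the same positions as the previous password.

```python
# Added example: a checker for the password rules in the table above. It is not
# from the GSA policy or this blog; the word lists are constructed stand-ins.
DICTIONARY = {"password", "secret", "summer", "welcome", "london"}
SIMPLE_PATTERNS = {"qwerty", "asdf", "xyz123", "abc123", "12345"}


def _shared_run(new, previous):
    """Longest run of characters identical to the previous password at the same positions."""
    best = run = 0
    for a, b in zip(new, previous):
        run = run + 1 if a == b else 0
        best = max(best, run)
    return best


def _looks_like_word(low):
    """True if a dictionary word or simple pattern appears forwards or backwards.
    Containment also catches a word with a digit or two-digit year tacked on."""
    rev = low[::-1]
    return any(w in low or w in rev for w in DICTIONARY | SIMPLE_PATTERNS)


def check_password(password, user_id, history=(), personal=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history: previous passwords, most recent first. At change time the old password is
    available in clear text; a real system compares the older entries as salted hashes.
    personal: known facts about the user (names, phone, serial number) to reject."""
    if not password:
        return ["null password"]
    low = password.lower()
    errors = []
    if not (password.isascii() and password.isalnum()):
        errors.append("contains characters other than letters and digits")
    if len(password) < 8:
        errors.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in low) and any(c.isdigit() for c in low)):
        errors.append("must mix letters and digits")
    if low[0].isdigit() or low[-1].isdigit():
        errors.append("first and last character must be non-numeric")
    if user_id.lower() in low:
        errors.append("contains the userID")
    if low in (h.lower() for h in history[:4]):
        errors.append("reused within the last four passwords")
    if history and _shared_run(low, history[0].lower()) > 3:
        errors.append("more than three consecutive characters carried over from the previous password")
    if _looks_like_word(low):
        errors.append("contains a dictionary word or simple pattern, forwards or reversed")
    if any(p.lower() in low for p in personal if p):
        errors.append("contains personal information about the user")
    return errors
```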

Source: itss.gsa.gov

Posted in Linux Networking.